Ukraine grid hack
At the end of last year, grid operators were left contemplating the devastating impact of cyber attacks after a highly destructive malware was used to hack into multiple regional distribution power companies in Western Ukraine leaving 80,000 residents without power for six hours.
The U.S. Department of Homeland Security reported that a malware called BlackEnergy had infected Ukraine’s systems with a spear phishing attack via a corrupted Microsoft Word attachment. The malware and its subcomponent KillDisk then shut down computer operating systems, which in turn ended up shutting down the local electrical grid.
To make matters worse, hackers also sought to make it impossible for customers to report electrical issues to the electric company by blocking out the company’s phone system by bombarding customer service phone lines with calls. Cybersecurity firms have attributed the blackout to Russian hacking group, "Sandworm".
This is the first known example of a cyber attack bringing down a major power network and it serves to highlight the growing importance for grid operators to understand the risks associated with malicious cyber activity. Cybersecurity really ought to be placed on management's agenda before an attack occurs and not as a result of one.
Update on new European cybersecurity laws set to impact grid operators
The much awaited Network and Information Security (NIS) Directive will impose new network and information security requirements on operators of essential services and digital service providers. These will include requirements for TSOs and others to "ensure a level of security of networksand information systems appropriate to the risk presented". In addition, these organisations will be required to report security incidents to competent authorities (to be set up in each EU country). The primary goal of the NIS Directive is to contain cybersecurity threats and have a uniform and coordinated approach across EU Member States.
Under the NIS Directive an operator of essential services is considered to be an entity that provides a service that is essential for the maintenance of critical societal and/or economic activities, where the provision of that service depends on network and information systems and where an incident to the network and information systems of that service would have significant disruptive effects on the provision of those services. Transmission system operators and distribution system operators are specifically included in this category.
MEPs and representatives of EU governments reached political agreement on the draft NIS Directive late last year. This means that the path has been cleared for the new Directive to be formally adopted in the coming months. Once ratified, Member States will have two years to implement the measures domestically. Grid operators, watch this space.